The hacker group has become a major player in cyberattacks on government agencies.
The Iranian hacking group UNC1860, allegedly linked to Iran's Ministry of Intelligence and Security (MOIS), continues to carry out cyberattacks on government and telecommunications networks in the Middle East.
According to Mandiant, the group uses specialized tools and passive backdoors to gain long-term access to targeted systems and hand that access off to other hackers, making UNC1860 one of the key players in the field of initial network penetration.
UNC1860 facilitated access for destructive attacks on Israel in October 2023 using the BABYWIPER wiper and Albania in 2022 using the ROADSWEEP program. Although there is no direct evidence of UNC1860's involvement in the attacks yet, experts note the presence of TEMPLEPLAY and VIROGREEN tools, which were probably designed to transfer control during operations.
The main arsenal of UNC1860 includes a set of passive backdoors and utilities that allow you to gain a foothold in the victim's network for a long time. One such example is the Windows kernel driver, which has been redesigned from Iranian antivirus software, demonstrating the group's high proficiency in reverse engineering Windows components. Using tools like these allows the team to effectively evade detection by security tools.
In addition, UNC1860 actively exploits vulnerabilities in Internet-facing servers to install web shells and carry out further attacks. For example, in 2020, a victim's infrastructure was used to scan IP addresses in Saudi Arabia in order to find vulnerabilities. The hackers have also attacked VPN servers and verified credentials, demonstrating a desire for long-term control over systems.
In addition to working as an independent cybercriminal, UNC1860 cooperates with another Iranian group, APT34, which confirms the role of hackers in providing initial access to networks for further attacks. A characteristic feature of UNC1860 is the use of non-standard data encryption and encryption solutions in order to bypass threat detection systems.
Mandiant also notes that UNC1860 has extensive capabilities to use the access gained, including managing infected machines through specialized GUI controllers. Such tools provide remote operators with the ability to easily execute commands, upload and download files, and establish connections for further network penetration.
Experts warn that UNC1860 remains one of the most dangerous cyber threats in the region, continuing to develop its tactics and tools. The current tensions in the Middle East can only contribute to a further increase in the group's activity in the region.
In June 2024, Mandiant Managed Defense specialists discovered the UNC2970 cyberespionage group, which is associated with North Korea. Later that month, Mandiant experts recorded phishing attacks in which hackers posed as an energy company and an organization in the aerospace industry.
Mandiant experts note that such attacks by the UNC2970 group are aimed at gaining access to strategic information, and their activities overlap with another North Korean group, TEMP.Hermit, which has been active since 2013.
Earlier in 2023, specialists from Mandiant claimed that North Korean hackers are targeting cybersecurity researchers and media organizations in the United States and Europe with fake job offers that lead to the deployment of three new malware families.
Source